CVE-2026-47388

EUVD-2026-38611
NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, a low-privilege MCP token holder with knowledge of an attachment path could read any file in shared storage, including attachments belonging to other bases and workspaces, because the MCP readAttachment tool did not verify the file's ownership. This vulnerability is fixed in 2026.05.1.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
GitHub_MCNA
2.3 LOW
NETWORK
HIGH
LOW
CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
VendorProductVersionSource
nocodbnocodb
𝑥
< 2026.5.1
CNA
Common Weakness Enumeration
References
https://github.com/nocodb/nocodb/security/advisories/GHSA-xxpj-q764-9r6q